Compliance often drives data security, but is it enough? In today’s rapidly evolving cyberthreat landscape, regulatory compliance provides a foundation for strong security, but simply meeting compliance standards is no longer sufficient. Meeting compliance standards is essential to remaining on the right side of the law, but the controls only provide a minimum framework for the protection you need. Consider that compliance is only part of the outcome of an effective security program.
Compliance VS Security
Government agencies, non-profit groups, and special industry associations direct compliance standards, and create a blueprint for the protection of sensitive data. Enforcement and accountability occurs through audits and assessments that are either self-directed or conducted by a third party—where the end goal is to pass the compliance audit. Although seemingly similar, security is the sum of all the processes, policies, and tools that safeguard your data; it’s measured by risk mitigation and your ability to respond to threats. Compliance is necessary for organizations in regulated industries, while effective security is valuable to all organizations.
Start with Compliance Regulations. Augment with Data Security.
If you manage sensitive data, including electronic protected health information (ePHI) or financial information, you must adhere to regulatory compliance. In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) outlines regulations for protecting ePHI. The Payment Card Industry Data Security Standard, the Dodd-Frank Act, and the Sarbanes-Oxley Act provide guidelines for the financial industry, including financial technology companies.
Unfortunately, many businesses trust these regulations to provide adequate data security. In reality, compliance frameworks are not prescriptive—and must be adapted to meet your unique business needs, since no two environments are the same. Organizations like the U.S. Department of Health and Human Services and PCI Security Standards Council, who manage regulation content, only publish updates intermittently. Since threats are continuously changing, you need to build on your compliance efforts with frequent security updates—processes, technology, and risk management activities should be regularly tested and improved. Unlike compliance, where you follow rules and check off to-do’s, security requires an ongoing strategy that’s never fully “complete.”
With cybercrime costs projected to rise to an estimated $2 trillion this year, you can’t afford to place blind trust in regulatory guidelines. If you want to educate yourself on the latest security best practices, we recommend these trusted sources: The International Standards Organization (ISO), National Institute of Standards and Technology (NIST), World Wide Web Consortium (W3C) and the Cloud Standards Consumer Council.
Are You Using These Best Practices?
“Moving from a compliance mindset to one focused on managing and mitigating risk can be difficult, but is important and necessary in this dynamic and often dangerous world,” says SVP and CIO Christian Anschuetz for CIO.com.
Every year, security-conscious organizations must revisit their security management operations. Continual optimization is the key to risk management. Keep these data security best practices in mind as you improve your policies and procedures:
- Focus on risk management for data security. Develop a formal guide with your risk management policies and make sure everyone has access to it. Include risk-awareness updates, considerations for new technology adoption, and specific use-cases. Classify policy items as core security practices and train your staff on new cybercrime vulnerabilities. A risk management framework will contain several policies, such as:
- Risk management policy
- Information systems security policy
- Information classification policy
- Incident response plan
It’s not enough to simply develop these security control policies; you must also monitor and continuously evaluate them against all possible risks. Plan frequent reevaluations of asset values and analyze the risk landscape to be sure your security efforts remain relevant and adequate. Be aware that despite your best efforts, incidents can happen. Your ability to detect, respond, and manage incidents makes all the difference.
- Strengthen key vulnerabilities. Many cybercriminals target the path of least resistance, which often leads them to socially engineered attacks, spoofing attacks, and IoT device vulnerabilities. Vulnerabilities differ by culture, work habits, and technology practices. Find the weakest links in your organization and strengthen them through training, redundancy, and the latest security practices—such as encryption, advanced firewall protection, and intelligent network and systems monitoring.
As you move more of your workloads to the cloud, also consider that you’ll need different dataprotection, as cloud security requires layers of logical security. Encryption, key management, user access control, and multi-factor authentication improve security for data that’s transferred in and out of the cloud. Although it seems obvious, not everyone has been able to wrap their mind around security in the cloud. When the use of encrypted storage on portable devices and laptops increased in 2017, the healthcare industry experienced a reduction in the exposure of ePHI, compared to previous years, according to the HIPAA Journal.
- Flesh out disaster recovery and contingency plans. Impenetrability is an impossible goal, so prepare for the unexpected. Disaster recovery and business continuity planning plays a vital role in your ability to quickly contain and recover in the event of an attack. Your organization needs proper data backups, data recovery systems, alerting tools, containment protocols and stakeholder information to remain proactive during a crisis.
- Automate security processes and alerts when possible. Manual security requires a lot of resources. While some activities should remain manual, automation tools can assist with access log reporting, threat correlations, patch management, malware detection, security information and event management (SIEM), and more. Automated tools help IT departments prioritize their security practices for improved risk management over time.
- Vet vendors and develop security agreements. As-a-service solutions create new and diverse networks of vendor and partner agreements. Each endpoint and network connection represents a potential vulnerability. You should clearly identify and track who is in charge of what when it comes to data security and include that information in your service provider contracts. Data security documentation, vulnerability disclosure, and incident response management strengthen B2B relationships.
- Communicate often. While automated tools and secure solutions offer an ever-expanding array of risk management opportunities, you must communicate with your stakeholders. Employees need ongoing training for new vulnerabilities. Be transparent about your security policies and don’t be shy about asking providers for their accreditations. Knowledge sharing underpins all data security best practices.
2017 was a rough year for many organizations, with security breaches affecting everyone from Equifax to the NSA in the Wannacry data leak. Learn from their mistakes, and plan to expand your IT strategy to include best practices for data security and risk management this year.
Additional Resources on This Topic:
- 6 Tips to Go Beyond Compliance for Effective Data Security - April 11, 2018